Office of the Superintendent of Financial

Institutions

Internal Audit Report

On

Finance Revenue

November 2010
 Office of the Superintendent of Financial Institutions Canada

A&CS Audit & Consulting Services A&CS

Table of Contents

1. Background .................................................................................................................3

2. Audit Objective, Scope and Approach........................................................................4

3. Conclusion...................................................................................................................7

4. Observations and Recommendations ..........................................................................9

Management Response..........................................................................................................16

Appendix A - Revenue Control Criteria ...............................................................................19

Audit Report on Finance: Revenue 2 of 19

 Office of the Superintendent of Financial Institutions Canada

A&CS Audit & Consulting Services A&CS

1. Background
Introduction Internal Audit conducts assurance work to determine whether Office of the
Superintendent of Financial Institutions Canadas (OSFI) risk management,
control, and governance processes, as designed and represented by
management, are adequate to ensure risks are appropriately identified and
managed.
The audit of Finance - Revenue was approved by the OSFI Audit Committee
and the Superintendent for inclusion in the OSFI 2009-10 Internal Audit Plan.
This report presents the results of that audit based on audit work completed at
the end of May 2010. The audit recommendations will support Finance to
continuously improve their control framework for revenue processing.

This report was presented to the OSFI Audit Committee and approved by the
Superintendent on November 9th, 2010. The Assistant Superintendent,
Corporate Services, and Finance senior management, who will provide their
management response within this report, have also reviewed it.

Context
The Office of the Superintendent of Financial Institutions Canada (OSFI)
recovers its costs through base assessments, pension plan fees, cost-recovered
services, and user fees and charges.
OSFIs ability to process revenue transactions and charge the Federally
Regulated Financial Institutions (FRFI), Regulated Private Pension Plans
(RPPP) and others is essential in OSFI being able to recover its expenses and
pay employees and operating expenses on a timely basis. In addition, the
Superintendent and the Chief Financial Officer, in part, rely on internal
controls over revenue transaction processing in order to provide assurance on
OSFIs internal controls as envisioned under the Treasury Board Policy on
Internal Control and Policy on Financial Management Governance.
OSFIs Finance Division (Finance) was re-structured in 2009-10 based on a
2009 study commissioned on the divisions workload in terms of volumes
experienced, conversion of financial and accounting policies to IFRS, staff
complement, experience and competency needs, and process improvements
needed.
For the 2009-10 fiscal year, OSFI had Revenue of some $102 million ($92
million, 2008-09). The revenue was composed of base assessments, cost-
recovered services, pension plan fees and user fees and charges as set out in
Note 2 - Revenue & spending authority, Note 4 - Significant accounting
policies and Note 17 - Revenue (and expenses) by Business Activity of
OSFIs 2009-10 Financial Statements.

Continued on next page

Audit Report on Finance: Revenue 3 of 19

 Office of the Superintendent of Financial Institutions Canada

A&CS Audit & Consulting Services A&CS

1. Background, Continued
Revenue by Business Activity (,000)

2. Audit Objective, Scope and Approach

Audit The objective of this audit was to provide assurance on:

Objective
Revenue controls and management oversight as to the completeness,
accuracy and authorization of revenue transactions from initiation
through to processing, recording and reporting of revenues
How well and the degree to which revenue controls and management
oversight are being followed
Recording of revenue transactions into the accounts receivable,
general ledger accounts and management reporting systems

Audit
Scope The audit covered the Finance - Revenue control framework for the 2009/10
fiscal year including the implementation of a new Final and Interim
Assessment Calculation Tool (FIACT).

Continued on next page

Audit Report on Finance: Revenue 4 of 19

 Office of the Superintendent of Financial Institutions Canada

A&CS Audit & Consulting Services A&CS

2. Audit Objective, Scope and Approach, Continued

Audit Scope
(continued) The scope included:
Improvements implemented during 2009-10 and those planned for
2010-11 in the areas such as conversion from Generally Accepted
Accounting principle (GAAP) to International Financial Reporting
Standards (IFRS), implementation of a new Final and Interim
Assessment Calculation Tool (FIACT), and restructuring of the
Finance Division.
Revenue processes from initiation of revenue streams, calculation of
assessments, fees, and charges, posting of invoices to Accounts
Receivable sub-ledger and the general ledger, and internal reporting as
well as billing adjustments and late & erroneous filing penalties.
OSFI revenue policy and applicable Government and GAAP policy
and accounting requirements.
Matters outside of the scope
A review of the information/data and related systems used for
initiating revenue transactions, except a review of completeness and
accuracy of the source information/data extraction.
A review of IT operations environment and related controls, known
as a general IT environment review.
A review of the general ledger and Accounts Receivable sub-ledger
functions, except posting of billings/ invoices, and control/balancing
of receivables/revenue to the general ledger.

Continued on next page

Audit Report on Finance: Revenue 5 of 19

 Office of the Superintendent of Financial Institutions Canada

A&CS Audit & Consulting Services A&CS

2. Audit Objective, Scope and Approach, Continued

Audit
Approach
The audit was conducted in accordance with the Institute of Internal Auditors
International Standards for the Professional Practice of Internal Auditing,
consistent with the Treasury Board Policy on Internal Audit.
The audit criteria, as set out in Appendix A - Revenue Control Criteria, were
used for assessing the revenue policy, processes, and controls.
The audit work was conducted on a collaborative basis involving information
gathering, interviews with management and staff involved in supporting
processing of revenue transactions, examination of documents, testing of key
revenue processes, and interviews with Finance Division management & staff
and others involved in revenue processing.
To facilitate our work, we prepared revenue process maps (flowcharts) and
control profiles for some nine processes. The control profiles are tables
that match control objectives - completeness, accuracy, authorization and
review and approve - to the revenue processing phases - transaction initiation,
data extraction from supporting databases, and processing including
calculations, uploading of transactions (interface) and posting to the Accounts
Receivable and the General Ledger.
These revenue process maps and control profiles have been given to
Finance for use in their initiative of documenting existing revenue processes
and controls, and the evaluation and design of check and balancing
procedures and controls consistent with TBS Policy on Financial
Management Governance, Policy on Internal Control and Policy on Internal
Audit as well as generally recognized business application control standards
(e.g. Institute of Internal Auditors, Information Systems and Control
Association).

Audit Report on Finance: Revenue 6 of 19

 Office of the Superintendent of Financial Institutions Canada

A&CS Audit & Consulting Services A&CS

3. Conclusion

Conclusion
Revenue process controls and monitoring practices are not adequate to ensure
revenue transactions are completely and accurately processed and recorded.
As a result, there is limited assurance that base assessments and pension plan
fees are accurate and complete, and allocated among the Federally Regulated
Financial Institutions and Federally Regulated Pension Plans accounts
respectively and that all revenue transactions are posted to the Accounts
Receivable.
Processes and controls were not documented and evidenced as to
performance. Because some controls are executed during an annual process,
the lack of documentation and retention of supporting reports reduces the
sustainability of the controls. Some key controls were not in place such as
balancing source data to the corporate records.
Without a detailed review of risk and control, management may not identify
the appropriate preventive, detective, and monitoring controls. Achieving
compliance with reporting on internal controls as prescribed by the TBS
Policy on Financial Management Governance and Policy on Internal Control
will be challenging.
A 2009 independent study of the nature and volume of finance and
accounting processing and reporting needs provided Finance with a road map
for establishing a renewed Finance group. The Executive approved the study
report, briefed the Audit Committee on its results and actioned the steps
recommended in the study.
Finance has made improvements and has initiatives planned or underway to
address the revenue process and control concerns identified in our audit. We
also note that Finance has put in place the resources needed to complete these
multi-teamed initiatives.
It is essential that Finance establish a formal revenue risk & control
assessment process with an accompanying continuous improvement program,
such that management oversight, co-ordination of the improvement
initiatives, and the design of control frameworks is managed on a
consolidated basis.

In order to address the areas requiring improvements, the participation of

managers and staff across the Office is needed as many of the improvements
affect other Sectors and Divisions that are involved in processing revenue
transactions.

Audit Report on Finance: Revenue 7 of 19

 Office of the Superintendent of Financial Institutions Canada

A&CS Audit & Consulting Services A&CS

3. Conclusion, Continued

Conclusion
(continued)
A focused effort is required in:

Establishing a revenue process control framework incorporating

governance, risk management and control process requirements as set
out in Appendix A - Revenue Control Criteria
Establishing a risk management process for the revenue processes
consistent with OSFIs Enterprise Risk Management practices
Documenting revenue control processes and ensuring evidence of the
control performance
Identify (and provide) training for those involved in processing of
revenue transactions including Sectors and Divisions where revenue
transactions originate
The following governance and process controls were observed over OSFIs
revenue processes:

OSFI follows a comprehensive corporate planning process that includes

detailed revenue and cost budget development and approval
OSFI has appropriate revenue policy and guidance for financial
reporting purposes
The accrued and unearned revenue procedures are well structured,
managed, and documented
The management reporting was appropriate and provided on a timely
basis
The IT daily back-up routine for revenue systems and information is
appropriate

We wish to recognize the excellent rapport and exchange of views with all
involved in the audit. The depth of the review and focusing on what matters
would not have been possible without the support received throughout the
audit.

____________________________ _____________
Chief Audit Executive, A&CS Date

Continued on next page

Audit Report on Finance: Revenue 8 of 19

 Office of the Superintendent of Financial Institutions Canada

A&CS Audit & Consulting Services A&CS

4. Observations and Recommendations

4.1 Observation: There is not a detailed risk and control review of the
Risk revenue process to ensure processes and controls are adequate.
Management
OSFIs Enterprise Risk Management (ERM) policy and processes are used
for the identification, assessment, and mitigation of risk at the Sector /
Division operations level with a roll up into an overall OSFI risk assessment
to the Executive. Key risk areas and actions taken are reviewed quarterly by
the Executive as well as included in OSFIs Annual Report. Within the
Corporate Services Sector, Finance level risks are identified, evaluated, and
mitigation steps are undertaken with quarterly updates and reporting.
Finances self-assessment of existing revenue processing identified areas of
concern such as undocumented processes and limited evidence that controls
were being carried out. Through interviews with Finance managers & staff
and a review of existing documentation, we confirmed Finances self-
assessment of undocumented revenue processes and existing controls.
In 2010-11, Finance will be implementing significant changes in the areas of
accounting policies as well as reviewing and documenting its revenue
processes and key controls. The Director of Finance indicated that such a
program would be established by the end of the year.
Without a detailed review of risk and control over revenue processing,
management may not identify the appropriate preventive, detective, and
monitoring controls. Achieving compliance with reporting on internal
controls as prescribed by the TBS Policy on Financial Management
Governance and Policy on Internal Control may become challenging.

Recommendation: Finance management should complete a detailed risk and

control review over revenue processing. The review should include manual
and automated controls from initiation through to posting to the Accounts
Receivable and the General Ledger to address the control objectives of
completeness, accuracy, and authorization.

Continued on next page

Audit Report on Finance: Revenue 9 of 19

 Office of the Superintendent of Financial Institutions Canada

A&CS Audit & Consulting Services A&CS

4. Observations and Recommendations, Continued

4.2
Accountability Observation: There is not a designated individual who is responsible for
each revenue process.
Although Finance recognizes that it is responsible for revenue processing,
there is not a designated individual who is responsible for each revenue
process. Key to strengthening revenue processing and related controls is
Finance assigning a designated owner for each revenue process, who is
responsible for monitoring and oversight of the revenue processing and
controls from end-to-end.
Finance may not be able to determine if completeness, accuracy and
authorization, as well as management review and approval controls are
adequate to mitigate identified risk.
Recommendation: Assign a designated owner for each revenue process.

4.3
Development Observation: There is a need for training for those involved in initiation,
and training processing, reporting, and managing some nine revenue processes
program including Sectors and Divisions that initiate revenue transaction.

It is important for Finance and other Sectors and Divisions to be able to talk
the same processing and control language and understand their role in
processing revenue transactions. During the audit, Finance managers and
staff showed a strong commitment to implementing development programs
including cross-training of technical processing and financial control
practices and techniques.
A 2009 independent study of the nature and volume of finance and
accounting processing and reporting needs provided Finance with a road map
for establishing a renewed Finance group and for filling key positions. The
positions of Manager of Financial Operations and of Financial Reporting &
Systems and Manager of Financial Policy and Special Projects have been
filled bringing valued knowledge and experience on accounting and financial
systems and related controls. With new managers and staff, it is essential that
Finance identifies and documents the technical (processing and controls) skill
requirements and put in place development and cross-training programs to
ensure the transfer of knowledge.
During 2009-10, Finance implemented informal training including cross-
training to strengthen operation capacity and staff. For 2010-11 cross-training
of staff was incorporated into Goal Commitment Documents. Finance is

Continued on next page

Audit Report on Finance: Revenue 10 of 19

 Office of the Superintendent of Financial Institutions Canada

A&CS Audit & Consulting Services A&CS

4. Observations and Recommendations, Continued

4.3
Development
committed to formalizing development and cross-training programs for most
and training positions during 2010-11 based on job positions jointly developed with
program Human Resources.
(continued)
Lack of training may result in staff not having the necessary processing
knowledge to ensure that operations related to revenue transactions are well
supported and understood by all, so that revenue is accurately recorded in
Accounts Receivable and accurately reported in management reports and un-
audited quarterly financial statements.

Recommendation: We strongly support Finances commitment in

developing and putting in place awareness and training programs for Finance
and others involved in managing and processing revenue transactions.

4.4 Observation: The nature and extent of existing controls are not
Control process documented and evidence of performing them is very limited.
Finances self-assessment of existing processes identified control concerns
with respect to undocumented processes and controls and lack of evidence
that processing tasks and control checks were being carried out. The 2009
independent study confirmed the need for process and control improvements.
The audit similarly noted the limited control documentation and limited
evidence of performance. Specific control weaknesses are detailed in this
report under this observation.
Finance has taken aggressive steps to remedy the situation. Finances
complement of staff has been strengthened and a Manager, Financial Policy
and Projects, has been recruited with responsibility for developing and
maintaining corporate financial and internal control policies and procedures.
To support this initiative, a task force is being formed, with support of
external resources and expertise, to document financial / accounting business
systems such as revenue processes, and to put in place appropriate processing,
reviews, approvals, and monitoring controls as needed.
Some controls over posting of user fees were operating effectively for
example;
Posting of a user fee was supported with documentation from the
originating department;
There was matching of posting documents or revenue calculations to
printed invoices;
Onscreen data entry was compared visually to the posting document;
and

Continued on next page

4. Observations and Recommendations, Continued

Audit Report on Finance: Revenue 11 of 19

 Office of the Superintendent of Financial Institutions Canada

A&CS Audit & Consulting Services A&CS

4.4 Input screens had drop down menus to capture the information needed
Control process for posting the transaction to Accounts Receivable.
(continued)
However, controls over both user fees and base assessments, discussed further
in the report, were not effective because of the lack of description of the
controls and evidence of performance and in some cases weak design
determined through discussion with staff .
Without a clear understanding of the revenue control framework and required
controls, process documentation and evidence of control performance, there is
no assurance that all potential user fees are charged and base assessments are
properly calculated and allocated and revenue transactions are posted to the
Accounts Receivable and the General Ledger.

4.4.1 Observation: Reconciliation of revenue transactions and verification of

Reconciliations information originating from other Sectors and Divisions posted to
Accounts Receivable was not evident.
Posting of Federally Regulated Financial Institutions (FRFI) and Pension
Plans assessments involves automated verification of customer accounts and
manual verification / confirmation of the revenue calculations. The initiating
transactions are first entered into a verification process before the information
and resulting revenue transactions are uploaded to the production
environment.
The automated controls and manual verification of revenue calculations are
not documented and the results of them are not kept.
Balancing of revenue transactions from initiation through processing to
posting to the Accounts Receivable is not completed. There is no verification
of the number of FRFI and Pension Plans accounts and totals. Therefore there
is no assurance that all revenue transactions initiated by the originating
Sectors/ divisions are recorded in the Accounts Receivable and General
Ledger.

Recommendation: Controls should be documented and supporting evidence

/ reports should be retained.

Continued on next page

Audit Report on Finance: Revenue 12 of 19

 Office of the Superintendent of Financial Institutions Canada

A&CS Audit & Consulting Services A&CS

4. Observations and Recommendations, Continued

4.4.2
Base
Observation: There was no evidence that spreadsheets supporting base
assessment assessment calculations were reviewed and controls performed verified.
calculations
For base assessment, processing spreadsheets were prepared by Finance staff
and reviewed by managers. However, the steps followed to verify and review
the processing, calculations and amounts were not documented. Verification
and review procedures such as printing of show formula, trace precedents,
and trace dependents was not evident.

Recommendation: Controls for verifying the base assessment calculations

should be documented and supporting evidence/ reports should be retained.
4.4.3
Final and
Observation: FIACT process, procedures and related controls are not
Interim documented. Evidence of performing automated checks/controls is not
Assessment documented or not kept. Revenue and control reports are not prepared.
Calculation
Due to the departure of a key person who manually provided data inputs to
Tool (FIACT)
the FRFI base assessments process, Finance authorized the development and
implementation of a new base assessment calculation tool to automatically
extract data input from various databases and perform the base assessment
calculations. FIACT was developed using Rapid Application Development
methodology involving IT designing, developing, and implementing the
system shoulder to shoulder with Finance in order to meet very tight
timelines. FIACT was implemented for the 2009-10 fiscal year. FIACT
incorporates automated checks on input data, financial institutions to be billed
and base assessment transactions to be uploaded to Accounts Receivable.
To confirm the 2009-10 FIACT base assessments amounts recorded in the
Accounts Receivable, Finance ran in parallel their 2008-09 spreadsheet-based
assessment system and conducted a 100% comparison of the individual
assessments amounts calculated by the two systems and comparison to
printed invoices. Although this provided a level of comfort as to assessment
calculations and posting to the Accounts Receivable, it does not provide the
level of control required going forward as the spreadsheet-based system and
controls are not fully documented.
FIACT supports a process that is only conducted once a year. The process is
not fully automated, as it requires some manual intervention and reports.
During the audit, the supporting manual processes and reports could not be
verified and reports developed for the process were not retained for use in
future years. The knowledge of the current processing procedures is with two
individuals. Without documentation of the process there is the potential for
unproductive effort in recreating what needs to be done and the supporting
reports, and increased chance of errors.

Continued on next page

Audit Report on Finance: Revenue 13 of 19

 Office of the Superintendent of Financial Institutions Canada

A&CS Audit & Consulting Services A&CS

4. Observations and Recommendations, Continued

4.4.3
Final and
It is important that FIACT be fully documented including: detailed run
Interim instructions with control points; verification of input, processing and output
Assessment data; and assessment reports to support the Accounts Receivable and the
Calculation General Ledger amounts. In addition, FIACT system documentation would
Tool (FIACT) be useful in determining the procedures and control requirements.

Recommendation: With the introduction of FIACT, it is essential that

monitoring and control requirements over processing and posting of
assessments to the Accounts Receivable be identified, documented, and
verified as being in place before the old system is discontinued.
As a key Finance system, FIACT should be reviewed and signed-off by IT
and Finance as a ready production system.
4.4.4
Cost recovery - Observation: The cost allocation model process and controls are not
cost allocation documented. Evidence of performance is not retained.
model
Integral to the calculation of the Federally Regulated Financial Institutions
(FRFI) base assessments (revenue collected from FRFIs) is the allocation of
OSFIs expenses across the OSFIs business activities, supervision and
regulation of FRFI and Private Pension Plans (PPP), Office of the Chief
Actuary and International Assistance.
The FRFI supervision expenses are further broken down by financial service
industries - deposit-taking institutions, life insurance companies, property &
casualty companies, and co-operative credit / retail associations. Using a time
reporting system (TRS), employees record time that is directly associated to
one of the financial service industry groups. Based on the TRS industry time
totals, there is an allocation of Regulation and Supervision Sector expenses
among the industry groups.
We examined the annual cost allocation model procedures and controls
including Finances verification of the OSFI operation expenses among the
business activities as well as the checks followed for tracking OSFIs
expenses by business activity, financial service industry group and their input
into the calculation system (FIACT).

Continued on next page

Audit Report on Finance: Revenue 14 of 19

 Office of the Superintendent of Financial Institutions Canada

A&CS Audit & Consulting Services A&CS

4. Observations and Recommendations, Continued

Cost recovery -
cost allocation
Through interviews with Finance staff and examination of supporting
model documents, we found that the process was well structured and managed.
(continued) However, there is no documentation and evidence of the process and controls
applied. There is a risk that the base assessments charged to financial
institutions may not be properly allocated.

Recommendation: The cost allocation model process and controls should be

documented and evidenced with a review sign-off.
4.4.5
System Access Observation: There is no periodic review of system access rights to the
some nine revenue processes.

Access and functionality rights of individuals to revenue processes and the

underlying information are set up by the Senior Corporate Systems
Administrator based on Finances instruction. Finances dedicated Senior
Corporate Systems Administrator maintains a user access table of
individuals with access to revenue systems and information and their
functionality rights such as create, change, print and delete. For access to
revenue processes, data files and posting to the ledgers Finance determines
the level of access to be granted to individuals in Finance and across the
Office.
However, there is not a periodic Finance review of an access list to ensure
that access and rights are changed or removed as appropriate. Inadvertent or
inappropriate access to revenue systems and information could result in data
corruption. This is magnified as not all processing controls are in place.
There is a risk of inappropriate access to and processing of revenue
transactions that could result in data corruption and/or accidental destruction
of data files (information) causing delays in processing and reporting on
revenue transactions.
Recommendation: Regular reviews of the access and functionality rights of
individuals should be completed.

Continued on next page

Audit Report on Finance: Revenue 15 of 19

 Office of the Superintendent of Financial Institutions Canada

A&CS Audit & Consulting Services A&CS

4. Observations and Recommendations, Continued

4.4.6
System Observation: Procedures and controls to support the operation of the
Operations underlying systems are not fully documented to ensure accuracy of
Support system output.

The IT Senior Corporate Systems Administrator for Finance is central to

documenting the IT systems as well as in design, development, and putting in
place user procedures and controls. IT processing knowledge and support is
provided by one person. Staff interviews indicated that bringing the
documentation to the level needed would require a multi-team effort.
Without documentation of the IT operations process and reliance on one
person for that knowledge, there is a risk of error occurring in the annual
process for the Financial Institutions base assessment (FIACT) and Pension
Plan Fees assessments.
Recommendation: Document the IT operations process for revenue
transactions and fill the back up position for the IT support.

Management Response

Overview This report has been reviewed by the Director of Finance, Managing Director,
Finance and Corporate Planning, and the Assistant Superintendent, Corporate
Services, who acknowledge its observations and recommendations.
The recommendations will support Finance with its work to documenting the
revenue processes and to put in place appropriate processing, reviews,
approvals, and monitoring controls as needed.

Response We thank the audit team for their collaborative approach in conducting the
revenue audit. Overall, we acknowledge the observations of the audit and
management has taken steps to address the report's recommendations.
Management agrees that documented evidence of its review and approval
steps for certain billing processes needs to be strengthened and retained in its
records.

Continued on next page

Audit Report on Finance: Revenue 16 of 19

 Office of the Superintendent of Financial Institutions Canada

A&CS Audit & Consulting Services A&CS

Management Response, Continued

Response
(Continued)
Management confirms that thorough management review of billing processes
did occur and for the base assessment billing process, which represents the
majority of OSFI's revenues (80%), evidence of management review exists.
OSFI continues to be transparent about its base assessment billings by
providing detailed information to financial institutions with their annual
assessment so that they may validate the calculation of their invoice. As well,
since 2000-2001, OSFI's financial statements are audited annually by the
Office of the Auditor General, which provides assurance that there are no
material misstatements or errors in the financial statements. OSFI has
received an unqualified audit opinion each year since 2000-2001.
We accept the observations as they relate to documentation of processes,
procedures and internal controls, as well as cross-training of staff within the
Finance division and the training of staff within the business lines where
some revenue transactions originate. We also acknowledge the need to
include evidence of management review as part of our processes. The
addition of five new resources in Finance Divisions staff complement during
2009-2010 will greatly enable the needed aforementioned improvements.
There are two main areas where Finance has already started the work to
address the audit findings and recommendations:
1. The documentation of revenue processes and controls is currently
underway as part of OSFIs ongoing transition to International Financial
Reporting Standards (IFRS) through the development of policies and
procedures for each of the IFRS standards affecting OSFI, and as part of
OSFIs ongoing implementation of the Treasury Board Policy on Internal
Control (PIC). OSFI must meet the policys requirements with respect to
internal controls over financial reporting by March 31, 2011.
The Finance Division is committed to taking advantage of the work
performed by Internal Audit to pursue the documentation of various processes
not only just within the different Revenue streams but across all Sectors and
Divisions business lines. The Finance Division has retained the services of an
external consultant who will help with the implementation the PIC, and
management is confident that this work will address a number of observations
in the audit report.
2. Targeting cross-training to certain Finance team members and training of
staff in other Sectors and Divisions where revenue transactions originate.
This training will include adequate controls and oversight in order to ensure
that staff and management fully understand and exercise such controls and
oversight, and in accordance with the documented processes.

Continued on next page

Audit Report on Finance: Revenue 17 of 19

 Office of the Superintendent of Financial Institutions Canada

A&CS Audit & Consulting Services A&CS

Management Response, Continued

Response
(Continued)
Management is committed to ensuring adequate internal controls are in place
within the Finance Divisions revenue processing to ensure risks are
addressed in a balanced way. As noted, a number of initiatives have already
been undertaken to address some of the observations, others will be addressed
shortly, while a few will require senior management and Executive
Committee endorsement. For example, changes to policies and process
changes across or within Sectors and Divisions to strengthen reporting and
reconciliation practices.
Over the past year, the Finance Division has been successful in staffing a
number of new and existing indeterminate positions in order to implement the
reorganization plan presented to the Executive Committee in the summer of
2009. This has proven to be of great value since we now have a full
complement of staff in the Finance Division, all of which are committed to
making a full contribution to the team.

Audit Report on Finance: Revenue 18 of 19

 Office of the Superintendent of Financial Institutions Canada

A&CS Audit & Consulting Services A&CS

Appendix A - Revenue Control Criteria

Elements Components

Risk Management External and internal risk related to revenue are identified, assessed, mitigation/controls
are in place, consistent with ERM policy
A structure and process exists for monitoring and managing risk /issues as to the accuracy,
completeness and integrity of revenue information, processing and reporting
Corporate and finance risk management is incorporated into revenue risk management
and cascade down to management and staff

Governance: Revenue structures, objectives, and accountabilities exist

Objective setting Revenue plans/budgets are established aligned with OSFIs corporate plans and priorities,
& operating and communicated to management and staff
environment
Revenue policy, guidance and practices incorporating Government and GAAP
requirements are established and communicated to management and staff
Roles and responsibilities of senior management, finance/accounting, Sectors/Divisions,
and those involved in managing and processing of revenue are defined, communicated and
understood
Governance: Budget, financial, accounting & variance information, processing and reporting
Information, requirements are defined, in place and communicated to management and staff
communications
Performance/target information and reporting requirements are defined, in place and
and reporting
communicated to management and staff as appropriate
Continuous identification and implementation of areas for improvement exists
Management and staff technical and competencies are established and incorporated into
informal and formal development and training such as on-the-job training and knowledge
transfer
Technical and competencies development and training requirements are defined, in place
and communicated as appropriate
Control Processes A management oversight process / quality assurance exists for processing and recording
of revenue
Processing of revenue exists that:
Sets out accounting and finance information, performance and reporting
requirements, aligned with Government and GAAP requirements
Sets out manual and automated procedure and control requirements to ensure
completeness, accuracy, authorization, and integrity of revenue transactions and
processing
Sets out processing and decision-making and reporting requirements at finance,
sector/division and senior management levels
Provides operational policy, guidance, and tools including specific guidance for
managing and reporting of exceptions and variances from financial, accounting and
processing requirements
Provides for continuous review/quality assurance including identification,
assessment, reporting and remediation of non-compliance matters/ problems
Provides for recording and reporting of revenue information in the general ledger,
Accounts Receivable and management reporting systems
Back-up and continuity plans of revenue systems and staff are in place

Audit Report on Finance: Revenue 19 of 19